New Privacy in Android 11 and OWASP Mobile Security
Albert Hsieh
OWASP currently has roughly 200 free, open-source projects.
OWASP Flagship Projects
Tool Projects
● OWASP Amass
● OWASP Defectdojo
● OWASP Dependency-Check
● OWASP Dependency-Track
● OWASP Juice Shop
● OWASP OWTF
● OWASP Security Shepherd
● OWASP ZAP
Documentation Projects
● OWASP Application Security Verification Standard
● OWASP Cheat Sheet Series
● OWASP Mobile Security Testing Guide
● OWASP SAMM
● OWASP Top Ten
● OWASP Web Security Testing Guide
Code Projects
● OWASP CSRFGuard
● OWASP ModSecurity Core Rule Set
OWASP.Mobile
What's new on Android 11
1. Scoped storage enforcement
2. One-time permissions
3. Permissions auto-reset
4. Background location access
5. Package visibility
6. Foreground service types
https://developer.android.com/preview/privacy
Is That Security Or Privacy?
Privacy: protecting the non-public information of identifiable individuals.
Security: protecting all information, and more!
Permissions
How Powerful is Your Flashlight?
Permissions, Permissions Everywhere!
https://www.zdnet.com/article/most-android-flashlight-apps-request-an-absurd-number-of-permissions/
One-time Permissions
Only this time!
Background Location Access
Location permission is special: it is split into foreground and background access.
Foreground access (the app is visible, or is running a foreground service of type location):
● ACCESS_COARSE_LOCATION
● ACCESS_FINE_LOCATION (accurate location)
Background access (e.g. geofencing, or WorkManager/AlarmManager work running in the background):
● ACCESS_BACKGROUND_LOCATION
Foreground location access: ACCESS_COARSE_LOCATION or ACCESS_FINE_LOCATION

```kotlin
ActivityCompat.requestPermissions(
    /* Activity */ this,
    /* Permissions */ arrayOf(ACCESS_COARSE_LOCATION),
    /* RequestCode */ 100
)
```

● On all versions, this requests foreground access.
● On pre-Android 10, background access is implied.
Target API level 'R': background location access
Request it incrementally, only after foreground access has been granted:
1. Request ACCESS_COARSE_LOCATION (or ACCESS_FINE_LOCATION).
2. At some point later, when the feature actually needs it, request ACCESS_BACKGROUND_LOCATION.
3. If shouldShowRequestPermissionRationale() is true, show your own in-context UI (you define it) before the system request.
Note: on Android 11 a single request that bundles foreground and background location is ignored, and a background request sends the user to the app's location settings page instead of showing a dialog.
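The incremental flow above, written out as an added example (not code from the original slides): an app targeting API level 30 asks for foreground location first and for background location only later, from the feature that needs it. MainActivity, the request codes, the string resource R.string.bg_location_rationale and the two feature methods are assumptions for illustration.

```kotlin
// Added example, not from the original slides: incremental location permission flow for an
// app targeting API level 30. MainActivity, REQ_FOREGROUND, REQ_BACKGROUND, the string
// resource and the two feature methods are assumptions for illustration.
import android.Manifest
import android.content.pm.PackageManager
import android.os.Build
import androidx.appcompat.app.AlertDialog
import androidx.appcompat.app.AppCompatActivity
import androidx.core.app.ActivityCompat
import androidx.core.content.ContextCompat

class MainActivity : AppCompatActivity() {

    private fun granted(permission: String): Boolean =
        ContextCompat.checkSelfPermission(this, permission) == PackageManager.PERMISSION_GRANTED

    // Step 1: foreground access only. Do NOT put ACCESS_BACKGROUND_LOCATION in the same
    // array: on Android 11 a request mixing foreground and background location is ignored.
    fun requestForegroundLocation() {
        if (granted(Manifest.permission.ACCESS_COARSE_LOCATION)) return
        ActivityCompat.requestPermissions(
            this,
            arrayOf(Manifest.permission.ACCESS_COARSE_LOCATION),
            REQ_FOREGROUND
        )
    }

    // Step 2: called later, in context (e.g. when the user turns on a geofence feature).
    fun requestBackgroundLocation() {
        if (!granted(Manifest.permission.ACCESS_COARSE_LOCATION)) {
            requestForegroundLocation()   // foreground first; ask for background afterwards
            return
        }
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.Q) {
            registerGeofences()           // pre-Android 10: background access is implied
            return
        }
        if (granted(Manifest.permission.ACCESS_BACKGROUND_LOCATION)) {
            registerGeofences()
            return
        }
        if (ActivityCompat.shouldShowRequestPermissionRationale(
                this, Manifest.permission.ACCESS_BACKGROUND_LOCATION)
        ) {
            showBackgroundRationale()     // your in-context UI, then the system request
        } else {
            doRequestBackground()
        }
    }

    private fun doRequestBackground() {
        // On Android 11 this opens the app's location settings page instead of a dialog;
        // the user has to pick the "all the time" option there.
        ActivityCompat.requestPermissions(
            this,
            arrayOf(Manifest.permission.ACCESS_BACKGROUND_LOCATION),
            REQ_BACKGROUND
        )
    }

    private fun showBackgroundRationale() {
        // getBackgroundPermissionOptionLabel() (API 30) returns the exact wording of the
        // settings option, so the rationale text matches what the user will see.
        val optionLabel = if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R)
            packageManager.backgroundPermissionOptionLabel else "Allow all the time"
        AlertDialog.Builder(this)
            .setMessage(getString(R.string.bg_location_rationale, optionLabel))
            .setPositiveButton(android.R.string.ok) { _, _ -> doRequestBackground() }
            .setNegativeButton(android.R.string.cancel, null)
            .show()
    }

    override fun onRequestPermissionsResult(
        requestCode: Int, permissions: Array<out String>, grantResults: IntArray
    ) {
        super.onRequestPermissionsResult(requestCode, permissions, grantResults)
        val ok = grantResults.isNotEmpty() && grantResults[0] == PackageManager.PERMISSION_GRANTED
        when (requestCode) {
            REQ_FOREGROUND -> if (ok) startForegroundLocationUpdates()
            REQ_BACKGROUND -> if (ok) registerGeofences()
        }
    }

    // The app's own features (assumed here).
    private fun startForegroundLocationUpdates() { /* request updates while visible */ }
    private fun registerGeofences() { /* add geofences; needs background access on Q+ */ }

    companion object {
        private const val REQ_FOREGROUND = 100
        private const val REQ_BACKGROUND = 101
    }
}
```

The check for an existing foreground grant before the background request is what keeps the flow incremental; the separate request code lets the result handler tell the two steps apart.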
Permissions Auto-reset
Target API level 'R': auto-reset permissions
If the user does not interact with an app targeting R for a few months, the system automatically resets its runtime permissions. Apps with a legitimate need to keep their permissions across such a period can ask the user to turn off auto-reset on the app's details page, reached via Settings.ACTION_APPLICATION_DETAILS_SETTINGS. Examples given:
● Provide family safety
● Paired to a companion smart device
● Device connectivity app
● Sync data
Foreground Service Types
Foreground Service Types
Android 10
● Introduced the concept of types: Companion device, Sync, Media Projection, Media Player, Location, Phone Call.
● Enforced to ensure accountability for sensitive access: on Android 10 a foreground service needs the location type to access location; Android 11 extends this to camera and microphone.
Target API level 'R' (Android 11): two new types, camera and microphone, declared on the service in the manifest:

```xml
<manifest>
    ...
    <service
        ...
        android:foregroundServiceType="camera" />
</manifest>
```

Both can be combined when the service needs both:

```xml
<manifest>
    ...
    <service
        ...
        android:foregroundServiceType="camera|microphone" />
</manifest>
```
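The runtime side of that manifest declaration, as an added example (not code from the original slides): the service passes the same types to startForeground(), which must be a subset of what the manifest declares. CaptureService, the notification channel and id, and the capture methods are assumptions for illustration.

```kotlin
// Added example, not from the original slides: runtime side of the "camera|microphone"
// manifest declaration. CaptureService, CHANNEL_ID, NOTIFICATION_ID and the capture
// methods are assumptions for illustration.
import android.app.Notification
import android.app.NotificationChannel
import android.app.NotificationManager
import android.app.Service
import android.content.Intent
import android.content.pm.ServiceInfo
import android.os.Build
import android.os.IBinder
import androidx.core.app.NotificationCompat

class CaptureService : Service() {

    override fun onStartCommand(intent: Intent?, flags: Int, startId: Int): Int {
        val notification = buildNotification()
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {
            // The types passed here must be a subset of android:foregroundServiceType in the
            // manifest ("camera|microphone" above); anything else makes startForeground()
            // throw IllegalArgumentException. Pass only the types actually in use.
            startForeground(
                NOTIFICATION_ID, notification,
                ServiceInfo.FOREGROUND_SERVICE_TYPE_CAMERA or
                    ServiceInfo.FOREGROUND_SERVICE_TYPE_MICROPHONE
            )
        } else {
            // Camera/microphone types do not exist before API 30; fall back to the 2-arg call.
            startForeground(NOTIFICATION_ID, notification)
        }
        // Caveat on Android 11: if this service was started while the app was in the
        // background, camera and microphone access stays blocked even with the right type
        // (apart from a few system exemptions), so start it from a visible activity.
        startCapture()
        return START_NOT_STICKY
    }

    override fun onDestroy() {
        stopCapture()
        super.onDestroy()
    }

    override fun onBind(intent: Intent?): IBinder? = null

    private fun buildNotification(): Notification {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) {
            val channel = NotificationChannel(
                CHANNEL_ID, "Capture", NotificationManager.IMPORTANCE_LOW
            )
            getSystemService(NotificationManager::class.java).createNotificationChannel(channel)
        }
        return NotificationCompat.Builder(this, CHANNEL_ID)
            .setContentTitle("Recording")
            .setSmallIcon(android.R.drawable.ic_menu_camera)
            .setOngoing(true)
            .build()
    }

    private fun startCapture() { /* open the camera / AudioRecord here (assumed) */ }
    private fun stopCapture() { /* release the camera / AudioRecord (assumed) */ }

    companion object {
        private const val CHANNEL_ID = "capture"
        private const val NOTIFICATION_ID = 1
    }
}
```

Declaring `camera|microphone` in the manifest but passing only `FOREGROUND_SERVICE_TYPE_MICROPHONE` for an audio-only session is allowed and preferable: the type is what the system holds the app accountable for.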
Package Visibility
Seeing all installed apps
On Android 10 and older, `packageManager.getInstalledPackages(0)` returns every installed package.
Target API level 'R': default behavior
`getPackageInfo("another.app", 0)` throws NameNotFoundException unless the package is visible to your app.
Query and interact with specific apps
Declare package names in the <queries> element of the manifest to 'see' specific apps.

```xml
<manifest>
    <queries>
        <package android:name="com.example.store" />
        <package android:name="com.example.service" />
        ...
    </queries>
    ...
</manifest>
```
Query and interact with apps based on intent filters
Declare intents in the <queries> element to 'see' apps that handle certain intents.

```xml
<manifest>
    <queries>
        <intent>
            <action android:name="android.intent.action.SEND" />
            <data android:mimeType="image/jpeg" />
        </intent>
    </queries>
    ...
</manifest>
```
Interacting with all apps
● Shouldn't be necessary for most apps.
● A "normal" permission is available that allows querying and interacting with all installed apps:

```xml
<uses-permission android:name="android.permission.QUERY_ALL_PACKAGES" />
```

● Look for Google Play to provide upcoming guidelines for apps that need this permission. "Let us know your use cases", says Google…
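How the two <queries> declarations above show up at runtime, as an added example (not code from the original slides) for an app targeting API level 30 without QUERY_ALL_PACKAGES. The package names are the ones used on the slides; the helper functions are assumptions for illustration.

```kotlin
// Added example, not from the original slides: runtime behaviour of package visibility for
// an app targeting API level 30. The helper names are assumptions; package names come from
// the <queries> declarations above.
import android.app.Activity
import android.content.Intent
import android.content.pm.PackageManager
import android.net.Uri

// True only if the package is installed AND visible to this app. On Android 11,
// NameNotFoundException means "not visible"; callers must not read it as "not installed".
fun isVisible(pm: PackageManager, packageName: String): Boolean =
    try {
        pm.getPackageInfo(packageName, 0)
        true
    } catch (e: PackageManager.NameNotFoundException) {
        false
    }

// Visibility of the two packages declared with <package> in <queries>.
fun checkDeclaredPackages(pm: PackageManager): Map<String, Boolean> =
    listOf("com.example.store", "com.example.service").associateWith { isVisible(pm, it) }

// Packages that handle ACTION_SEND for image/jpeg. Without the matching <intent> entry in
// <queries>, queryIntentActivities() is filtered down to apps that are already visible.
fun jpegShareTargets(pm: PackageManager): List<String> {
    val probe = Intent(Intent.ACTION_SEND).setType("image/jpeg")
    return pm.queryIntentActivities(probe, 0)
        .map { it.activityInfo.packageName }
        .distinct()
}

// Safe launch: resolveActivity() honours package visibility too, so check it up front
// instead of catching ActivityNotFoundException after the fact.
fun shareJpeg(activity: Activity, image: Uri): Boolean {
    val send = Intent(Intent.ACTION_SEND).apply {
        type = "image/jpeg"
        putExtra(Intent.EXTRA_STREAM, image)
        addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION)
    }
    if (send.resolveActivity(activity.packageManager) == null) return false
    activity.startActivity(Intent.createChooser(send, null))
    return true
}
```

The security-relevant point is the first helper: code written for Android 10 that treats NameNotFoundException as "competitor not installed" or "security app absent" silently changes meaning on Android 11, so any such check needs the package in <queries> to stay meaningful.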
Scoped Storage
Exactly the data that user wants to share and no more
New in Android 11
OWASP.Mobile
OWASP.Mobile https://owasp.org/www-project-mobile-security/
Secure Software Development Life Cycle (SSDLC)
OWASP Mobile project deliverables mapped along the SSDLC: Mobile Top 10, MASVS, MSTG, Mobile Security Checklist, Hacking Playground, Response.
Mobile Application Security Verification Standard (MASVS)
• Forked from OWASP ASVS
• Best practices for security requirements
• Mobile-specific
• High-level
• OS-agnostic
Security Requirements
• V1: Architecture, Design and Threat Modeling
• V2: Data Storage and Privacy
• V3: Cryptography
• V4: Authentication and Session Management
• V5: Network Communication
• V6: Platform Interaction
• V7: Code Quality and Build Setting
• V8: Resilience
Levels
● MASVS-L1: all mobile apps.
● MASVS-L2: apps handling sensitive data and/or functionality.
● MASVS-R: apps handling highly sensitive data; may serve as a means of protecting intellectual property or tamper-proofing an app.
Examples:
▪ L1: Alarm app
▪ L2: Health app
▪ L1+R: Game app
▪ L2+R: Banking app
V2: Data Storage and Privacy (part)
V3: Cryptography (part)
V5: Network Communication (part)
V5: Network Communication (part)
V6: Platform Interaction (part)
RESILIENCE? Yes, resilience!
V8: Resilience (part)
HOW TO USE THE MASVS?
Bring security into the system requirements phase!
▸ As a secure coding checklist
▸ As a security testing methodology
▸ For secure development training
To Conclude….
Why do we need security?
How much does that cost
Find the bugs earlier
Create fewer bugs https://blog.parasoft.com/what-is-the-shift-left-approach-to-software-testing
SHIFT LEFT!
Mobile Top 10, MASVS, MSTG, Mobile Security Checklist, Hacking Playground, Response: shift left for security!
Thank you!